[SOLVED] Ban every single login attempt which is using a specific domain as part of the username

[solbu]

Hi.
We have a small server that for 2 full days have been subject to a brute force attack on our imap-server.

They apparently have a vast amount of IPs that are part of this attack, and they are targeting a specific domain name, which our server only serves as a secondary MX for.
The real pop3/imap server is located at another site, and is locked down to the internal network only. (i.e. the actual pop3/imap server for the targeted domain does not have any way for users to read emails outside of our network)
This means that any login attempts to that domain on the publicly available pop3/imap server is an invalid login attempt.

So we need to figure out what regex to use which will ban every single attempt at logging in to «user@example.com», where the regexp should match the domain name, but not the username part.

A sample log line from /var/log/auth.log looks like this:
nov. 25 18:13:43 login auth[25976]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test@example.com rhost=10.0.58.9

Does anyone have an idea on a failregex that matches every attempt which tries to login to an «example.com» email address?

I have been trying for 6 hours to make it work, and I'm failing.
The one I got working did start banning IPs, but it also banned every valid user using other domain names in the username, which we obviously cannot live with. (I no longer have this config, as I got mad and almost lost my temper. So I erased it and had to take a break)

I am not good at writing regex-es so I don't really know what I'm doing…

[sebres]

Well you have a bit atypical timestamp nov. 25 18:13:43 in your example (which fail2ban would probably not find by default), so you have to specify datepattern = %%b\. %%d %%H:%%M:%%S.

In this case it will be found as a failure with pam-generic or dovecot jail (no matter with which domain).

PoC (fail2ban-regex for pam-generic and dovecot filters) ...

$ msg='nov. 25 18:13:43 login auth[25976]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test@example.com rhost=10.0.58.9'
$ fail2ban-regex -d '%b\. %d %H:%M:%S' "$msg" pam-generic

Running tests
=============

Use      datepattern : %b\. %d %H:%M:%S : MON\. Day 24hour:Minute:Second
Use   failregex filter file : pam-generic, basedir: /etc/fail2ban/
Use      single line : nov. 25 18:13:43 login auth[25976]: pam_unix(dovec...


Results
=======

Prefregex: 1 total
|  ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S+(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S+(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?\(?pam_unix(?:\(\S+\))?\)?:?\s+authentication failure;(?:\s+(?:(?:logname|e?uid)=\S*)){0,3} tty=\S* (?P<content>.+)$
`-

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^ruser=<F-ALT_USER>(?:\S*|.*?)</F-ALT_USER> rhost=<HOST>(?:\s+user=<F-USER>(?:\S*|.*?)</F-USER>)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] MON\. Day 24hour:Minute:Second
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed

$ fail2ban-regex -d '%b\. %d %H:%M:%S' "$msg" dovecot

Running tests
=============

Use      datepattern : %b\. %d %H:%M:%S : MON\. Day 24hour:Minute:Second
Use   failregex filter file : dovecot, basedir: /etc/fail2ban/
Use      single line : nov. 25 18:13:43 login auth[25976]: pam_unix(dovec...


Results
=======

Prefregex: 1 total
|  ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?(?:conn \w+:auth(?:-worker)? \(uid=\w+\): auth(?:-worker)?<\d+>: )?(?P<content>.+)$
`-

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] MON\. Day 24hour:Minute:Second
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]

If you want find such messages with specified domain only (or vice versa any other as some whitelisting), you can make your own jail:

[wrong-domain]
logpath = /var/log/auth.log
filter =
port = 25,110,143,465,587,993,995
maxretry = 1
## (blacklist) matches only domains (example.com and other.tld):
#_wrong_domains = (?:example\.com|other\.tld)
# (whitelist) matches any domain excepting correct-domain.tld:
_wrong_domains = (?!correct-domain\.tld\s)\S+
failregex = ^\s*\S+ auth\[\d+\]: pam_\S+\(dovecot:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=[^@]*@%(_wrong_domains)s rhost=<ADDR>
enabled = true

This should ban after every single attempt if domain matches something specified in _wrong_domains.

[solbu]

The «atypical» timestamp is the normal Debian timestamp. I have yet to login to a Debixn box that did Not have this timestamp format in the logs. Even my Mageia server have this timestamp format.
I have no idea if the fact that I use norwegian language by default is behind it. :-)

I also see that my existing filter configs have a datepattern line.

I tested your suggestion, and I cannot make even that work.

I enteres it into a test.conf jail, and this was the result

Running tests
=============

Use   failregex line : test.conf
ERROR: No failure-id group in 'test.conf'

So I copied the dovecot.conf filter into a new test-filter, replacing the failregex with your filter lines
and did the same with the dovecot.conf jail config, using your working sugestion, and this was the result of the regex test:

Running tests
=============

Use   failregex filter file : dovecot-kristenirc, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : test-dove.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [100] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 100 lines, 0 ignored, 0 matched, 100 missed
[processed in 0.02 sec]

Any other ideas? :-)
We are running Debian 10, if that makes any difference (al thou I fail to see why that would matter).

[solbu]

Right. So i got it right the first time, even if it didn't work.
By providing 3 solutions and apparently opting for one I hadn't mentioned kinda threw me off at first. ;-)

I'll try the new setup and see if it works.

[solbu]

And Success!

Thank you so much! :-)

Had to tweak it a little now that i understood the code you suggested, but now it works. It has already started banning offenders.

For future reference, this is what worked on our Debian 10 system.
filter.d/dovecot-example.conf

[Definition]
_wrong_domains = (?:example\.com)

failregex = ^\s*\S+ auth: pam_unix\(dovecot:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=[^@]*@%(_wrong_domains)s rhost=<ADDR>

datepattern = %%b %%d %%H:%%M:%%S

jail.d/dovecot-example.conf

[dovecot-example]
logpath  = /var/log/auth.log
filter   = dovecot-example
port     = 25,110,143,465,587,993,995
maxretry = 1
enabled  = true

[solbu]

And since the attackers reuse some of the IPs a day latr, we have opted for a bantime of 7 days.

[sebres]

Glad it works...
Just I would additionally anchor the datepattern, to be more accurate, since the timestamp is always at begin of the line

- datepattern = %%b %%d %%H:%%M:%%S
+ datepattern = ^%%b %%d %%H:%%M:%%S

[solbu]

Good catch! :D
Will do that.